Re: [Hampshire] Firewall stuff

Author: Vic
Date:  
To: hampshire
Subject: Re: [Hampshire] Firewall stuff
> And what's added to the situation is that one of my boxes got heavily
> spammed on Monday resulting in a fairly bad DoS.

So the problem is not that traffic from an unwanted port is DoSing your
box, it's that you have excessive loads on port 25. That's important...

> Normally when I build an email server I have a recipient accept list, that
> is, any name not on the list gets bounced by Postfix, and thus NOT
> processed by SpamAssassin etc. If this was in place on Monday, there would
> not have been a DoS as it was only 11,000 spams during the day, which I
> consider not too bad.

There is a school of thought that says that's the way to do it - if you
reject by bad addresses first, you leak your valid address list to
spammers. But I don't subscribe to that - check for valid recipients
first, or your load goes through the roof...

> However since I'm using a 'recommended' SME (rubbish) server as a bet, it
> fell to its knees to my delight.

I've never used SME server, so I can't comment on the specifics - but it
doesn't sound like the sort of thing I'd want to do.

> That's only a start. The person in
> question arguing the toss states that I need a hardware firewall, for
> example 'endian'.
>
> No I don't, I use iptables.
>
> Without harping on too much about this subject, I was wondering about
> other people's opinions about the need for a BIG SHINY EXPENSIVE
> EVERYTHING WILL BE OK BS FIREWALL BOX, and perhaps to know what other
> people are using.

Well, IME many "hardware firewalls" are actually a Linux/*BSD box running
iptables. I would say yer matey probably only knows how to defend Windows
boxes against DoS...

But as I said above - the traffic that's causing your problem is coming in
on a port that you want to be open. That means that you can only filter by
source address or suchlike - and that's not very effective against a DDoS.
If you can pin down a few IP addresses that are doing damage - use
iptables on the mailserver (or somewhere en route to it). But what you
cannot do is to blindly shut ports, because that will kill your wanted
email traffic.

> I want to be wrong.

I've got some bad news for you, then, 'cos I think you're right.

Vic.
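The two practical points in the thread are that Postfix should reject unknown recipients before any content scanning runs, and that the only filtering left for a port you must keep open is by source address. The script below is an added example, not code from Vic or the original poster: it reads the "Recipient address rejected" lines Postfix writes when that recipient check fires, counts them per client IP, and emits iptables rules that drop SMTP from the worst sources only, leaving port 25 open for everyone else. The log lines are constructed; the reject threshold and the chain name are assumptions.

```python
"""Turn Postfix 'recipient rejected' log lines into per-source iptables rules.

Added example for the thread above; the sample log is constructed and the
threshold / chain name are assumptions, not anything from the original mail.
"""
import re
from collections import Counter

# Constructed sample of Postfix smtpd lines in the shape mail.log uses.
SAMPLE_LOG = """\
Mar  3 09:01:02 mx postfix/smtpd[1234]: connect from unknown[192.0.2.10]
Mar  3 09:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid> to=<bob@example.org> proto=ESMTP helo=<spam.invalid>
Mar  3 09:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <carol@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid> to=<carol@example.org> proto=ESMTP helo=<spam.invalid>
Mar  3 09:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <dave@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid> to=<dave@example.org> proto=ESMTP helo=<spam.invalid>
Mar  3 09:01:05 mx postfix/smtpd[1235]: connect from mail.example.net[198.51.100.7]
Mar  3 09:01:06 mx postfix/smtpd[1235]: 3A1B2C3D4E: client=mail.example.net[198.51.100.7]
Mar  3 09:01:09 mx postfix/smtpd[1236]: connect from unknown[203.0.113.55]
Mar  3 09:01:09 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[203.0.113.55]: 550 5.1.1 <zed@example.org>: Recipient address rejected: User unknown in local recipient table; from=<y@spam.invalid> to=<zed@example.org> proto=ESMTP helo=<spam.invalid>
"""

# Matches the client IP in a Postfix RCPT rejection line.
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9.]+)\]")


def count_rejects(log_text):
    """Return a Counter of recipient-rejection events per client IP.

    Legitimate senders that only deliver to valid users never appear here,
    so the counter is already biased towards dictionary-style spam sources.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold):
    """IPs with at least `threshold` rejections, worst first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def iptables_rules(ips, chain="INPUT"):
    """Rules that drop SMTP from the listed sources only.

    Port 25 itself stays open: the match is on -s <source>, never on the
    port alone, which is the point Vic makes about wanted traffic.
    Chain name is an assumption; adjust to the local ruleset.
    """
    return [f"iptables -I {chain} -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]


if __name__ == "__main__":
    # Threshold of 3 is an assumption for the sample; tune it against real logs.
    rejects = count_rejects(SAMPLE_LOG)
    for rule in iptables_rules(offenders(rejects, threshold=3)):
        print(rule)
```

The rules are printed rather than applied so an administrator can review the list before loading it, and a real deployment would read mail.log rather than the embedded sample. As the reply notes, this only helps when a few sources dominate; against a genuinely distributed flood the per-source list grows without bound and the recipient check doing the rejecting cheaply is what actually keeps the box up.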